Allow multiple users to run several root commands

 
# 1  
Old 11-30-2011
I am using SUSE Linux Enterprise Server 10 SP2 (i586) and I had earlier amended my sudoers file to allow users to become root user with the "sudo su -" command.

Now I am trying to add multiple users to the sudoers file to run several commands such as restarting the server, restarting the nagios services and for test purposes to edit the sudoers file (won't be implemented, it's just for test purposes)

When I had defined the host, user, and command alias in the sudoers file as such, I wasn't able to save the file. I kept getting this message:

Code:
>>> sudoers file: syntax error, line 13 <<<
sudo: parse error in /etc/sudoers near line 13

followed by options if I'd like to continue to edit, quit or save and exit (dangerous)

And this is how my sudoers file looks:

Code:
my-mnag0:/etc # more sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

Host_Alias    LAN = my-mnag.os.itelligence.com.my

# User alias specification

User_Alias    GHELPDESK = test

# Cmnd alias specification

Cmnd_Alias    SUDO = visudo

# Defaults specification

Defaults    logfile=/var/log/sudo.log, log_year

# prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
# CVE-2006-0151)
Defaults always_set_home
Defaults env_reset

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
#Defaults targetpw    # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

# Runas alias specification

GHELPDESK     LAN = SUDO

# User privilege specification
root    ALL=(ALL) ALL
%wheel  ALL=(ALL)       ALL
%infra ALL=(ALL)        ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h no

changes are in different color and in bold

So what did I do wrong?

And yes, user test exists on the server:

Code:
my-mnag0:/etc # finger test
Login: test                             Name: test
Directory: /home/test                   Shell: /bin/sh
Never logged in.
No Mail.
No Plan.
my-mnag0:/etc #

# 2  
Old 11-30-2011
Hi again hedkandi, I think the mistake is under the line:
Code:
Defaults    logfile=/var/log/sudo.log, log_year

If I am not mistaken it should be:

Code:
Defaults    log_year, logfile=/var/log/sudo.log

Regards.

Last edited by sagoiz; 11-30-2011 at 09:14 AM.. Reason: I forgot to delete the last option.
# 3  
Old 11-30-2011
Hi sagoiz

Thank you for the correction

I made the changes above but when I logged on as test user I am still not able to edit the sudoers file, I am getting permission denied & command not found error:

Code:
my-mnag0:~$ cd /etc
my-mnag0:/etc$ visudo
-sh: visudo: command not found
my-mnag0:/etc$ vi sudoers

---------- Post updated at 07:39 PM ---------- Previous update was at 07:36 PM ----------

and when a normal user attempted to "sudo su -" to become root it fails because of this parse error in sudoers file

Code:
my9849
my9849@my-mnag0:~> sudo su -
>>> sudoers file: syntax error, line 17 <<<
sudo: parse error in /etc/sudoers near line 17

my-mnag0:~ # visudo
Warning: undeclared Cmnd_Alias `SUDO' referenced near line 39

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

Host_Alias    LAN = my-mnag.os.itelligence.com.my

# User alias specification

User_Alias    GHELPDESK = test

# Cmnd alias specification

Cmnd_Alias    SUDO = visudo

# Defaults specification

Defaults    log_year, logfile=/var/log/sudo.log

# prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
# CVE-2006-0151)
Defaults always_set_home
Defaults env_reset

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
#Defaults targetpw    # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

# Runas alias specification

GHELPDESK     LAN = SUDO

# User privilege specification
root    ALL=(ALL) ALL
%wheel  ALL=(ALL)       ALL
%infra ALL=(ALL)        ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

So I had to log in as root and revert all changes. Would it work if I defined at the end of the sudoers file with specific commands for multiple users?

Last edited by hedkandi; 11-30-2011 at 11:41 PM.. Reason: forgot to close code syntax
# 4  
Old 12-01-2011
Hello again, you need to give complete path:

Code:
Cmnd_Alias    SUDO = /usr/sbin/visudo

And while running the command you still need to give the full path:

Code:
> sudo /usr/sbin/visudo

I would also recommend you to use Yast, I know you may not be used to it, but it works like a charm once you get confident with it.
You can find free training materials at the link below, they are a little bit old, but as you are dealing with SLES 10, you will not notice it. :-)

Courses Available — Novell

Regards.
# 5  
Old 12-01-2011
Hi sagoiz

Mate, I think you're right about yast

Anyway, I just amended what you had provided and guess what?

Code:
my-mnag0:~$ sudo /usr/sbin/visudo

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

test's password:
test is not allowed to run sudo on my-mnag0.  This incident will be reported.

Do I have to add test user to sysadm group or something?
# 6  
Old 12-01-2011
Hello, ok, this is what I did to reproduce your conf.

From your conf remove the line:
Code:
GHELPDESK     LAN = SUDO

Then to add a runas alias:

Code:
Runas_Alias    ROOT = root

Then add a user to allow the use of sudo:

Code:
GHELPDESK LAN = (ROOT) SUDO

Hope it works this time.

Regards.
# 7  
Old 12-01-2011
ugh! it failed again!

Code:
my-mnag0:~$ sudo /usr/sbin/visudo
test's password:
test is not allowed to run sudo on my-mnag0.  This incident will be reported.
my-mnag0:~$ date
Fri Dec  2 12:12:24 MYT 2011

Code:
# Host alias specification
Host_Alias    LAN = my-mnag.os.itelligence.com.my
# User alias specification
User_Alias    GHELPDESK = test
# Cmnd alias specification
Cmnd_Alias    SUDO = /usr/bin/visudo
# Defaults specification
Defaults    log_year, logfile=/var/log/sudo.log
# prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
# CVE-2006-0151)
Defaults always_set_home
Defaults env_reset

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
#Defaults targetpw    # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

# Runas alias specification
Runas_Alias     ROOT = root
# User privilege specification
root    ALL=(ALL) ALL
%wheel  ALL=(ALL)       ALL
%infra ALL=(ALL)        ALL

GHELPDESK LAN = (ROOT) SUDO
# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
#%test  localhost=/sbin/shutdown -h now

Can we try with a different command? (i.e. start/stop a service such as httpd or something like that)

Last edited by hedkandi; 12-01-2011 at 11:54 PM.. Reason: red highlights
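
An added example, not part of any post in this thread: a small static check for three things visible above. sudoers requires fully qualified paths for commands (post #1 has `visudo`), the Host_Alias in post #7 names `my-mnag.os.itelligence.com.my` while sudo reports the host as `my-mnag0`, and the Cmnd_Alias there lists `/usr/bin/visudo` while the command typed is `/usr/sbin/visudo`. The function name `lint_sudoers` and its finding labels are hypothetical; it handles plain host names only and does not replace `visudo -c`.

```shell
#!/bin/sh
# Added example: static checks on sudoers text read from stdin.
# Usage: lint_sudoers SHORT_HOSTNAME /full/path/to/command < fragment
# Prints one finding per line; prints nothing when all checks pass.
lint_sudoers() {
    awk -v host="$1" -v cmd="$2" '
    /^[ \t]*#/ { next }                          # skip comment lines
    $1 == "Cmnd_Alias" || $1 == "Host_Alias" {
        kind = $1; alias = $2; sub(/=.*/, "", alias)
        list = $0; sub(/^[^=]*=[ \t]*/, "", list)
        n = split(list, member, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            m = member[i]; sub(/[ \t]+$/, "", m)
            if (kind == "Cmnd_Alias") {
                split(m, word, /[ \t]+/)         # word[1] is the program, the rest are arguments
                if (word[1] == cmd) listed = 1
                # a command must be an absolute path, ALL, sudoedit or another alias
                if (word[1] !~ /^\// && word[1] !~ /^[A-Z][A-Z0-9_]*$/ && word[1] != "sudoedit")
                    print "NOT_ABSOLUTE " alias ": " word[1]
            } else if (m != "ALL") {
                # flag only when both the full entry and its first label differ from the host
                short = m; sub(/\..*$/, "", short)
                if (m != host && short != host)
                    print "HOST_MISMATCH " alias ": " m " vs " host
            }
        }
    }
    END { if (!listed) print "CMD_NOT_LISTED " cmd }
    '
}

# Line copied from the sudoers file in post #1.
POST1='Cmnd_Alias    SUDO = visudo'

# Lines copied from the sudoers file in post #7.
POST7='Host_Alias    LAN = my-mnag.os.itelligence.com.my
Cmnd_Alias    SUDO = /usr/bin/visudo'

# Constructed fragment: host name as sudo prints it, path as typed in post #7.
FIXED='Host_Alias    LAN = my-mnag0
Cmnd_Alias    SUDO = /usr/sbin/visudo'

for fragment in "$POST1" "$POST7" "$FIXED"; do
    printf '%s\n' "$fragment" | lint_sudoers my-mnag0 /usr/sbin/visudo
    echo "--"
done
```
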